CVE-2022-43417 Katalon Plugin 1.0.32 and earlier doesn't perform permission checks in several HTTP endpoints, which allows attackers with Overall/Read permission to connect to attacker-specified URL using attacker-specified cred
This issue can be exploited to gain access to deployed applications that use Jenkins as a build repository, and potentially other services that are accessible via Jenkins, such as an on-premise or cloud application. In this example, we’ll use Jenkins as the build server. A user with overall/read permission can create a new job by clicking on the “+New Item” link.
In the “Source Code” field of the “Build script” tab, type the following script: https://{target_URL}.{malicious_domain}/login?credentials_id={malicious_credentials_id} In this example, we’ll use the credentials ID of “e5b5d5e5-5e5c-11e9-9e97-080027e78889” to connect to the Jenkins HTTP API. After the user has created the job, they can view the build logs by clicking on the “Build history” link on the left-hand side menu. In this example, we’ll use the credentials
Installation Steps
Step 1: Install Jenkins 2.0.3 or later on any platform that supports Java 8 and Tomcat 8 (e.g., Windows, Linux, Mac).
Step 2: Install the malicious plugins from the following URLs: https://plugins.jenkins-ci.org/plugins?action=show&name={malicious_plugin_name}&version={malicious_plugin_version} In this example, we’ll use the malicious plugin “Jenkins XSS Plugin” to exploit this vulnerability. Note: If you are unsure if a plugin is already installed on your system, you can use Java's “java -jar jenkins-cli-1.2.6-slim.jar” command to find out if an installed plugin's name exists in the list of system plugins (e.g., java -jar jenkins-cli-1.2.6-slim.jar | grep "plugins" ).
Step 3: Create a new profile for this malicious plugin by clicking on the “Generic Profile” option in the “Manage Plugins” section of Jenkins' web interface and then click on the “Add New Profile” button to create a new profile named "Jenkins XSS Plugin".
Step 4: Create a job named "Build Job with XSS payload" by clicking on "New Item" under your Jenkins instance and then filling out all
Timeline
Published on: 10/19/2022 16:15:00 UTC
Last modified on: 10/21/2022 03:17:00 UTC